Wednesday, March 16, 2016

ClamAV Signature Interface maintenance is now complete! New Main.cvd!

Our ClamAV Signature Interface maintenance is now complete. While we apologize for the delay, the rollout of the new Signature Interface inside of ClamAV will result in several new features for the community, and I wanted to tell you about some of them:

First, this is the first new “main.cvd” in about two years. This main.cvd has been completely rewritten from scratch, and while the function of the “main” is largely the same, it has been rewritten to enforce not only an ordering of the signatures but a naming convention as well. For example:

W97M.Ethan.AK-1 has moved to Doc.Trojan.Ethan
Worm.Padowor.A-zippwd has moved to Win.Worm.Padowor
Adware.Smshoax has moved to Win.Adware.Smshoax

Renaming of the signatures may affect a local user’s whitelist. If you have excluded certain signatures in the past that are now firing, we ask that you both submit the file to us for false positive remediation (if you believe it to be a false positive) and rename the signature in the whitelist on your side.

This new main is 109Mb in size and contains 4 million signatures for ClamAV. Now that the main.cvd has been rewritten, it is easier for us to create diffs, which means we can upgrade the main more often and make the “daily.cvd” smaller more often.

Second, we now have the ability to offer different types of CVDs. For instance, we now have the ability to distribute 3rd party signatures that are officially signed by ClamAV, but updated through the ClamAV global mirror network. If we wanted to separate out “policy” type signatures from the daily.cvd into their own cvd, we can now do that.

Third, while we have not removed some of the older signature formats, we did convert those older signatures to the newer formats to empty those older “cvd”s out.

For example:
“db" signatures were consolidated into “ndb" signatures
“zmd" and “rmd" archive signatures we moved to the “cdb" container signature format

These formats are not new, they simply have never been published before. This includes other formats such as “hsb”, “msb”, “sfp”, and “crb”. The older formats are supported for now, we are simply no longer publishing them.

Fourth, newer features, like the ability to write signatures based on the SHA256 of a file, have been added to the system, and we can now publish that type of detection.
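As an added illustration of the two format points above (the “db” to “ndb” consolidation, and SHA256 hash signatures), here is a small script that is not part of this post or of ClamAV’s own tooling: it rewrites legacy “db” lines (`Name=Hex`) into “ndb” lines (`Name:TargetType:Offset:Hex`, with target type 0 and offset `*` to keep the old match-anywhere behaviour) and builds an “hsb” line (`Hash:FileSize:Name`) from a file’s SHA256. The signature names, hex bodies and sample bytes are constructed for the example.

```python
import hashlib
import re
from typing import List, Optional

# ClamAV body-hex alphabet plus its wildcard syntax (??, *, {n-m}, [n-m], (aa|bb)).
HEX_SIG = re.compile(r"^[0-9a-fA-F?*{}\[\]()\-|!]+$")


def db_to_ndb(line: str) -> Optional[str]:
    """Convert one legacy .db line ("Name=Hex") to .ndb form.

    Returns None for blank lines and comments; raises on malformed input so a
    bad line is noticed rather than silently dropped from the converted set.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    name, sep, hexsig = line.partition("=")
    if not sep or not name or not HEX_SIG.match(hexsig):
        raise ValueError(f"malformed .db line: {line!r}")
    # Target type 0 = any file type, offset "*" = anywhere: same semantics as .db.
    return f"{name}:0:*:{hexsig}"


def convert_db_text(text: str) -> List[str]:
    """Convert a whole .db file body, skipping comments and blank lines."""
    return [out for ln in text.splitlines() if (out := db_to_ndb(ln)) is not None]


def sha256_hsb(data: bytes, name: str) -> str:
    """Build a .hsb hash signature line: HashString:FileSize:MalwareName."""
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{name}"


# Constructed sample input (names and hex bodies are made up for illustration).
LEGACY_DB = """\
# legacy .db file (constructed sample)
Win.Test.ExampleA=4d5a9000??0000ffff{2-4}6a
Doc.Test.ExampleB=d0cf11e0a1b11ae1
"""
SAMPLE_FILE = b"MZ\x90\x00constructed sample bytes, not a real binary\n"

if __name__ == "__main__":
    for ndb in convert_db_text(LEGACY_DB):
        print(ndb)
    print(sha256_hsb(SAMPLE_FILE, "Win.Test.ExampleC"))
```

Run the converted lines through `clamscan` with `-d` pointing at the generated `.ndb`/`.hsb` file to confirm they load before relying on them.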